fips_rsa_sign.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422
  1. /* fips_rsa_sign.c */
  2. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. * project 2007.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. *
  53. * This product includes cryptographic software written by Eric Young
  54. * (eay@cryptsoft.com). This product includes software written by Tim
  55. * Hudson (tjh@cryptsoft.com).
  56. *
  57. */
  58. #define OPENSSL_FIPSAPI
  59. #include <string.h>
  60. #include <openssl/evp.h>
  61. #include <openssl/rsa.h>
  62. #include <openssl/err.h>
  63. #include <openssl/sha.h>
  64. #include <openssl/fips.h>
  65. #ifdef OPENSSL_FIPS
  66. /* FIPS versions of RSA_sign() and RSA_verify().
  67. * These will only have to deal with SHA* signatures and by including
  68. * pregenerated encodings all ASN1 dependencies can be avoided
  69. */
  70. /* Standard encodings including NULL parameter */
  71. static const unsigned char sha1_bin[] = {
  72. 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
  73. 0x00, 0x04, 0x14
  74. };
  75. static const unsigned char sha224_bin[] = {
  76. 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  77. 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
  78. };
  79. static const unsigned char sha256_bin[] = {
  80. 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  81. 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
  82. };
  83. static const unsigned char sha384_bin[] = {
  84. 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  85. 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
  86. };
  87. static const unsigned char sha512_bin[] = {
  88. 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  89. 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
  90. };
  91. /* Alternate encodings with absent parameters. We don't generate signature
  92. * using this format but do tolerate received signatures of this form.
  93. */
  94. static unsigned char sha1_nn_bin[] = {
  95. 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04,
  96. 0x14
  97. };
  98. static unsigned char sha224_nn_bin[] = {
  99. 0x30, 0x2b, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  100. 0x04, 0x02, 0x04, 0x04, 0x1c
  101. };
  102. static unsigned char sha256_nn_bin[] = {
  103. 0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  104. 0x04, 0x02, 0x01, 0x04, 0x20
  105. };
  106. static unsigned char sha384_nn_bin[] = {
  107. 0x30, 0x3f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  108. 0x04, 0x02, 0x02, 0x04, 0x30
  109. };
  110. static unsigned char sha512_nn_bin[] = {
  111. 0x30, 0x4f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
  112. 0x04, 0x02, 0x03, 0x04, 0x40
  113. };
  114. static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
  115. {
  116. switch (nid)
  117. {
  118. case NID_sha1:
  119. *len = sizeof(sha1_bin);
  120. return sha1_bin;
  121. case NID_sha224:
  122. *len = sizeof(sha224_bin);
  123. return sha224_bin;
  124. case NID_sha256:
  125. *len = sizeof(sha256_bin);
  126. return sha256_bin;
  127. case NID_sha384:
  128. *len = sizeof(sha384_bin);
  129. return sha384_bin;
  130. case NID_sha512:
  131. *len = sizeof(sha512_bin);
  132. return sha512_bin;
  133. default:
  134. return NULL;
  135. }
  136. }
  137. static const unsigned char *fips_digestinfo_nn_encoding(int nid, unsigned int *len)
  138. {
  139. switch (nid)
  140. {
  141. case NID_sha1:
  142. *len = sizeof(sha1_nn_bin);
  143. return sha1_nn_bin;
  144. case NID_sha224:
  145. *len = sizeof(sha224_nn_bin);
  146. return sha224_nn_bin;
  147. case NID_sha256:
  148. *len = sizeof(sha256_nn_bin);
  149. return sha256_nn_bin;
  150. case NID_sha384:
  151. *len = sizeof(sha384_nn_bin);
  152. return sha384_nn_bin;
  153. case NID_sha512:
  154. *len = sizeof(sha512_nn_bin);
  155. return sha512_nn_bin;
  156. default:
  157. return NULL;
  158. }
  159. }
  160. int FIPS_rsa_sign_ctx(RSA *rsa, EVP_MD_CTX *ctx,
  161. int rsa_pad_mode, int saltlen, const EVP_MD *mgf1Hash,
  162. unsigned char *sigret, unsigned int *siglen)
  163. {
  164. unsigned int md_len, rv;
  165. unsigned char md[EVP_MAX_MD_SIZE];
  166. FIPS_digestfinal(ctx, md, &md_len);
  167. rv = FIPS_rsa_sign_digest(rsa, md, md_len,
  168. M_EVP_MD_CTX_md(ctx),
  169. rsa_pad_mode, saltlen,
  170. mgf1Hash, sigret, siglen);
  171. OPENSSL_cleanse(md, md_len);
  172. return rv;
  173. }
  174. int FIPS_rsa_sign_digest(RSA *rsa, const unsigned char *md, int md_len,
  175. const EVP_MD *mhash, int rsa_pad_mode, int saltlen,
  176. const EVP_MD *mgf1Hash,
  177. unsigned char *sigret, unsigned int *siglen)
  178. {
  179. int i=0,j,ret=0;
  180. unsigned int dlen;
  181. const unsigned char *der;
  182. int md_type;
  183. /* Largest DigestInfo: 19 (max encoding) + max MD */
  184. unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
  185. FIPS_selftest_check();
  186. md_type = M_EVP_MD_type(mhash);
  187. if (rsa_pad_mode == RSA_X931_PADDING)
  188. {
  189. int hash_id;
  190. memcpy(tmpdinfo, md, md_len);
  191. hash_id = RSA_X931_hash_id(md_type);
  192. if (hash_id == -1)
  193. {
  194. RSAerr(RSA_F_FIPS_RSA_SIGN_DIGEST,RSA_R_UNKNOWN_ALGORITHM_TYPE);
  195. return 0;
  196. }
  197. tmpdinfo[md_len] = (unsigned char)hash_id;
  198. i = md_len + 1;
  199. }
  200. else if (rsa_pad_mode == RSA_PKCS1_PADDING)
  201. {
  202. der = fips_digestinfo_encoding(md_type, &dlen);
  203. if (!der)
  204. {
  205. RSAerr(RSA_F_FIPS_RSA_SIGN_DIGEST,RSA_R_UNKNOWN_ALGORITHM_TYPE);
  206. return 0;
  207. }
  208. memcpy(tmpdinfo, der, dlen);
  209. memcpy(tmpdinfo + dlen, md, md_len);
  210. i = dlen + md_len;
  211. }
  212. else if (rsa_pad_mode == RSA_PKCS1_PSS_PADDING)
  213. {
  214. unsigned char *sbuf;
  215. i = RSA_size(rsa);
  216. sbuf = OPENSSL_malloc(RSA_size(rsa));
  217. if (!sbuf)
  218. {
  219. RSAerr(RSA_F_FIPS_RSA_SIGN_DIGEST,ERR_R_MALLOC_FAILURE);
  220. goto psserr;
  221. }
  222. if (!RSA_padding_add_PKCS1_PSS_mgf1(rsa, sbuf, md, mhash,
  223. mgf1Hash, saltlen))
  224. goto psserr;
  225. j=rsa->meth->rsa_priv_enc(i,sbuf,sigret,rsa,RSA_NO_PADDING);
  226. if (j > 0)
  227. {
  228. ret=1;
  229. *siglen=j;
  230. }
  231. psserr:
  232. OPENSSL_cleanse(sbuf, i);
  233. OPENSSL_free(sbuf);
  234. return ret;
  235. }
  236. j=RSA_size(rsa);
  237. if (i > (j-RSA_PKCS1_PADDING_SIZE))
  238. {
  239. RSAerr(RSA_F_FIPS_RSA_SIGN_DIGEST,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
  240. goto done;
  241. }
  242. /* NB: call underlying method directly to avoid FIPS blocking */
  243. j=rsa->meth->rsa_priv_enc(i,tmpdinfo,sigret,rsa,rsa_pad_mode);
  244. if (j > 0)
  245. {
  246. ret=1;
  247. *siglen=j;
  248. }
  249. done:
  250. OPENSSL_cleanse(tmpdinfo,i);
  251. return ret;
  252. }
  253. int FIPS_rsa_verify_ctx(RSA *rsa, EVP_MD_CTX *ctx,
  254. int rsa_pad_mode, int saltlen, const EVP_MD *mgf1Hash,
  255. unsigned char *sigbuf, unsigned int siglen)
  256. {
  257. unsigned int md_len, rv;
  258. unsigned char md[EVP_MAX_MD_SIZE];
  259. FIPS_digestfinal(ctx, md, &md_len);
  260. rv = FIPS_rsa_verify_digest(rsa, md, md_len, M_EVP_MD_CTX_md(ctx),
  261. rsa_pad_mode, saltlen, mgf1Hash,
  262. sigbuf, siglen);
  263. OPENSSL_cleanse(md, md_len);
  264. return rv;
  265. }
  266. int FIPS_rsa_verify_digest(RSA *rsa, const unsigned char *dig, int diglen,
  267. const EVP_MD *mhash, int rsa_pad_mode, int saltlen,
  268. const EVP_MD *mgf1Hash,
  269. unsigned char *sigbuf, unsigned int siglen)
  270. {
  271. int i,ret=0;
  272. unsigned int dlen;
  273. unsigned char *s;
  274. const unsigned char *der;
  275. int md_type;
  276. int rsa_dec_pad_mode;
  277. if (siglen != (unsigned int)RSA_size(rsa))
  278. {
  279. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,RSA_R_WRONG_SIGNATURE_LENGTH);
  280. return(0);
  281. }
  282. FIPS_selftest_check();
  283. md_type = M_EVP_MD_type(mhash);
  284. s= OPENSSL_malloc((unsigned int)siglen);
  285. if (s == NULL)
  286. {
  287. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,ERR_R_MALLOC_FAILURE);
  288. goto err;
  289. }
  290. if (rsa_pad_mode == RSA_PKCS1_PSS_PADDING)
  291. rsa_dec_pad_mode = RSA_NO_PADDING;
  292. else
  293. rsa_dec_pad_mode = rsa_pad_mode;
  294. /* NB: call underlying method directly to avoid FIPS blocking */
  295. i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s, rsa, rsa_dec_pad_mode);
  296. if (i <= 0) goto err;
  297. if (rsa_pad_mode == RSA_X931_PADDING)
  298. {
  299. int hash_id;
  300. if (i != (int)(diglen + 1))
  301. {
  302. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,RSA_R_BAD_SIGNATURE);
  303. goto err;
  304. }
  305. hash_id = RSA_X931_hash_id(md_type);
  306. if (hash_id == -1)
  307. {
  308. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,RSA_R_UNKNOWN_ALGORITHM_TYPE);
  309. goto err;
  310. }
  311. if (s[diglen] != (unsigned char)hash_id)
  312. {
  313. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,RSA_R_BAD_SIGNATURE);
  314. goto err;
  315. }
  316. if (memcmp(s, dig, diglen))
  317. {
  318. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,RSA_R_BAD_SIGNATURE);
  319. goto err;
  320. }
  321. ret = 1;
  322. }
  323. else if (rsa_pad_mode == RSA_PKCS1_PADDING)
  324. {
  325. der = fips_digestinfo_encoding(md_type, &dlen);
  326. if (!der)
  327. {
  328. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,RSA_R_UNKNOWN_ALGORITHM_TYPE);
  329. return(0);
  330. }
  331. /* Compare, DigestInfo length, DigestInfo header and finally
  332. * digest value itself
  333. */
  334. /* If length mismatch try alternate encoding */
  335. if (i != (int)(dlen + diglen))
  336. der = fips_digestinfo_nn_encoding(md_type, &dlen);
  337. if ((i != (int)(dlen + diglen)) || memcmp(der, s, dlen)
  338. || memcmp(s + dlen, dig, diglen))
  339. {
  340. RSAerr(RSA_F_FIPS_RSA_VERIFY_DIGEST,RSA_R_BAD_SIGNATURE);
  341. goto err;
  342. }
  343. ret = 1;
  344. }
  345. else if (rsa_pad_mode == RSA_PKCS1_PSS_PADDING)
  346. {
  347. ret = RSA_verify_PKCS1_PSS_mgf1(rsa, dig, mhash, mgf1Hash,
  348. s, saltlen);
  349. if (ret < 0)
  350. ret = 0;
  351. }
  352. err:
  353. if (s != NULL)
  354. {
  355. OPENSSL_cleanse(s, siglen);
  356. OPENSSL_free(s);
  357. }
  358. return(ret);
  359. }
  360. #endif